Re: [ecf-dev] authorized_keys removed from build.eclipse.org (was Re: zEclipseGitCloner project failing...auth?)
On 11/28/2012 03:48 AM, Markus Alexander Kuppe wrote:
> On 11/27/2012 09:30 PM, Scott Lewis wrote:
>> The ECF builder at [1] seems to be failing on trying to run the
>> zEclipseGitCloner project [2]. Below is the console output...also see [3].
>> It looks like it could be something wrong with Markus' eclipse.org
>> login...mkuppe...although I'm not sure.
>> Markus do you have any insight about this?
>
> Hi,
> it turns out that ~/.ssh/authorized_keys is gone from build.eclipse.org.
> After recreating it manually, zEclipseGitCloner authenticates
> successfully again [1]. According to logs, the cloner had started to
> fail in November (last successful run in 10/26).
> Webmasters are CCed, to find out if this incident should cause any
> suspicion.
> Thanks
> Markus
> [1] https://build.ecf-project.org/jenkins/job/zEclipseGitCloner/284/console

Markus,
As you may know, the Eclipse Webmasters do not allow our own Hudson
instance, at hudson.eclipse.org to write to our code repositories. While
we acknowledge that this creates inconveniences for our committers, we
feel it is an important part of maintaining secure, yet open systems
which are accessible to all.
If I understand correctly, you've installed keys on a remote server,
allowing it to log in to Eclipse.org servers on your behalf to write to
the ECF Git code repository. The remote server, the Jenkins application
and the server's SSH service are all publicly accessible. Your remote
build process ceased to function on October 26 as a result of the
unknown removal of your Eclipse account's authorized_keys file.
Our logs show that your Eclipse.org account was accessed successfully
via keyed authentication on build.eclipse.org on October 25, 2012 at
6:02 local time. We've examined your shell command history, and that
history contains commands that would remove the authorized_keys file.
Since you have no recollection of making the changes yourself, and since
the keys to your Eclipse.org account reside on a publicly accessible
server whose security integrity we cannot ascertain, I must conclude
that your Eclipse.org account has been compromised. To protect
Eclipse.org's servers, our code and our service availability I have
disabled your account and have blocked SSH access originating from your
remote server.
We will audit your account's activity on our servers to ensure it was
not used as a mechanism to gain elevated access or to penetrate remote
systems. If you wish to regain access to your account, please feel free
to work with Wayne Beaton (cc'd) and myself to implement a build process
that does not risk compromising your account and the Eclipse.org servers.
Denis
--
Eclipse Webmaster -- http://www.eclipse.org/
http://wiki.eclipse.org/Webmaster_FAQ
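
The finding in the message above rests on two artifacts: a successful key-based login in the sshd log and shell history entries that would remove authorized_keys. As an added example (not part of the original message and not Eclipse's tooling), this Python script extracts both from sample data; the user name, addresses, log lines and history below are constructed for illustration, and the history is assumed to have been written by bash with HISTTIMEFORMAT set.

```python
import re

# Constructed sample input (not from the incident): sshd syslog lines and a
# bash history file where "#<epoch>" precedes each timestamped command.
AUTH_LOG = """\
Oct 24 22:10:03 build sshd[4101]: Failed password for invalid user test from 198.51.100.9 port 40122 ssh2
Oct 25 06:02:11 build sshd[4312]: Accepted publickey for builduser from 203.0.113.7 port 51234 ssh2
Oct 25 09:15:40 build sshd[4550]: Accepted password for otheruser from 192.0.2.20 port 50001 ssh2
"""
HISTORY = """\
#1351159400
ls -la ~/.ssh
#1351159425
rm -f ~/.ssh/authorized_keys
#1351159431
git status
echo done > notes.txt
"""

ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
# Commands that delete, move, truncate or overwrite the file.
# Appends (>>) are the normal way to add a key and are not flagged.
DESTRUCTIVE = re.compile(
    r"(?:\b(?:rm|mv|unlink|shred|truncate)\b[^|;&]*authorized_keys"
    r"|(?<!>)>(?!>)\s*\S*authorized_keys)")

def key_logins(log, user):
    """Return (timestamp, source address) for each publickey login by user."""
    out = []
    for line in log.splitlines():
        m = ACCEPTED.match(line)
        if m and m["user"] == user and m["method"] == "publickey":
            out.append((m["ts"], m["src"]))
    return out

def destructive_history(history):
    """Return (epoch or None, command) for history entries that would remove
    or overwrite authorized_keys."""
    hits, epoch = [], None
    for line in history.splitlines():
        if re.fullmatch(r"#\d+", line):
            epoch = int(line[1:])      # timestamp applies to the next command
            continue
        if DESTRUCTIVE.search(line):
            hits.append((epoch, line))
        epoch = None                   # a timestamp covers one command only
    return hits
```

Shell history is written by the account itself and can be edited or disabled, so a hit is a lead to corroborate against the login records rather than proof of who ran the command.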